So you're in the Joe Grand opening warmup act or GoPro or get the fuck out, which they
wouldn't say in the marketing promotions for this. This is a fairly short talk, but Todd
and I have basically been working on messing around with these cool, awesome cameras.
For 20 minutes. In 20 minutes. Which we actually just for
20 minutes before the talk. Our entire research project is 40 minutes
long, including this talk. Right. So our agenda, the, you know, the
intro that ‑‑ which we will cover ‑‑ Entourage, motherfuckers, do you speak it?
Wow. Only a 20‑minute talk and he just lost three of it. That's too bad.
Uh‑oh. Excuse me. This is completely expected.
You should have showed up prepared for this. Why are we here?
Shit. Why are we here?
Yeah, why are we here? We are here ‑‑ yeah.
We ‑‑ we ‑‑ we figure that they have spot the Fed, we have shot the noob.
Noob has a number of meanings, and so there's only one that applies.
So we also need somebody from the audience who's a new person. You, sir.
Preferably a female. Oh, well ‑‑ Once again, he's midway
through the change. Come on up. I'll take two.
Okay. You know, guys, try to get ‑‑
Act like they're going to make you drink, but they won't give you two. I mean, I don't
know. I guess ticket prices are going to be a little higher next year, y'all.
Oh, see, now you only have ‑‑ now you have four minutes left.
Damn it. All right.
That's all right, because we didn't really have the material.
Shut up and drink. All right, shut up and drink.
GoPro GTFO. Thank you, young lady.
Do I get a GoPro? You know, I thought about it, but no, you
don't. The young lady, you know, might have gotten
the GoPro. Bring more booze next time, fellas.
Okay. So continuing on. So we'll have our brief intro. We
basically didn't do that already while drinking. Talk a little bit about the GoPro due to time
we're going to gloss over some stuff. We're going to cite previous research because we're
not the first ones to mess with this, but we want to give credit where credit is due.
We'll talk a little bit about what we've done so far. We're certainly not finished. As well
as some of the things that have kind of come out of this, this research up to this point.
We'll talk a little bit about what we're going to do next and then finally we'll conclude
with a bunch of useless slides. First, Todd. What's up? I'm Todd Manning, senior
research consultant at Accuvant Labs. Horror for hire, you know. I used to work at Breaking
Point managing their security research team and now I turn it over to my co‑presenter.
Zach Lanier, Accuvant Labs. I'm Zach Lanier or some of you know me as Quine. I'm
also a senior research consultant ‑‑ that's awesome. I'm not even wearing a dress this
year. He is wearing panties, though. Backwards. I'm also a senior research consultant
with Accuvant Labs. Just old timey net web app mobile pen tester guy. Anyway, so why
did we pick the GoPro? Because I had one, basically. It's an incredibly
popular device. It's a very popular device. It's a very popular device. It's a very popular
camera. I'm sure some of you have seen it out in the wild used in music videos featuring
scantily clad men and women and skateboarders who put them on their skateboards in fall
a lot, like me. It's Wi‑Fi enabled which was attractive because it's got all these
cool features on it that you can use your phone to control the camera. One of the more
interesting facts is there's a company called Ambarella that makes these eponymously named
SoCs that are used not only in the GoPro but also in commercial security installations
which we found to be intriguing. So that's, you know, another future research thing. We
focus mainly on the GoPro Hero3 Black Edition which is what we've got up here. So a lot
of the details that will be in here will apply. But some of the hardware is a little bit different
as we'll kind of see a little bit later. And plus it's really extreme ‑‑ I can't say
that with much more emphasis. But ‑‑
I can. It's fucking extreme. Mountain Dew. So anyway. So an overview of the GoPro. It
features an Ambarella mistyped A770 camera SoC. So they basically just stamped this SoC
with, like, an ARMv6 core with all of, like, all the other usual things you'd expect, JTAG,
UART, blah, blah, blah, blah, blah, blah, blah. And their IOs for their light sensors
and accelerometer, whatever. And then they put this stupid LCD on it. And then they put
on this Atheros wireless controller, which has Bluetooth but they don't use it. I don't
know why. And there's a bunch of other stuff that's really not relevant to security or
hacking this thing. But in any case, it has a lot of stuff that's not used. All packed
into this tiny little ‑‑ subj.com. Tiny little form factor.
Okay.
Okay.
I'll do this one. I figured it was my turn to talk. Okay. So one interesting thing,
the first thing that we kind of found when we busted this camera open, it runs two operating
systems, not just one. So two for the price of one. One is the ITRON embedded operating
system. It's kind of like this open source sort of realtime operating system standard,
really. So the version that runs on here is kind of one implementation to the other.
The standard developed by a Japanese academic in the 90s, I guess. So it's primarily responsible
for the operation of the camera. So capturing images, doing encoding of video, that kind
of thing. And then it also runs Linux kernel version 2.6.38.
So the way the realtime OS works, if you guys know about that, typically there's a bunch
of threads that are all doing different things. One thread is dedicated to running Linux and
so basically the Linux operating system is on there to run some of the sort of higher
order functions that deal with remote control of the camera via, like, mobile application,
that kind of thing. And so, yeah, two operating systems. There's a private network that runs
in between the two. The networking address is given here, 10.9.9/24. And then
the realtime operating system side runs one web server that kind of handles certain requests,
actually looks like it serves up some of the, like, preview mode files, and then the
Linux side runs the version of the open source Cherokee web server that handles actually
taking requests from the mobile remote control applications and then passes command to the
commands from that on to the realtime operating system via mechanism we'll describe shortly.
Yeah. So some previous research, right? So looking into this camera, it's like, somebody's
got to know something about it, right? Otherwise we're screwed. So the OG of, like, you know,
GoPro, kind of, like, dissection is this cat called Evil Wombat hangs out on the GoPro
user forum. Super real friendly guy that I've talked to, real willing to give information
about how it works. He's developed a number of open source tools that are available on
GitHub/evilwombat. He's got ‑‑ let's see, he's an ARM firmware developer,
is all he's told me. I know he lives on the west coast.
Other than that, you know, I haven't really talked to him for more than just a few hours.
Stop dropping docs. Okay. Anyhow. Sorry about that. Let's see. So, yeah, so in his firm
‑‑ in his repository he's got, like, tools for breaking apart the firmware updates
that come from GoPro so that you can kind of, like, do some further analysis yourself,
breaks them up into different sections. He's got a tool that will let you connect to your
USB and then boot your own custom Linux kernel so that if you, you know, brick your camera
like I've done, you can, you know, ostensibly unbrick it. There are some cases where that
doesn't actually work. But, yeah, real nice guy that has made some tools and so, you know,
has ‑‑ we've stood on the shoulders of at least, you know, one giant and that would
be Evil Wombat. So if you're here, man, I'll buy you, like, dinner and a drink and, you
know, take you to a movie. You're a real star.
You're a sweet person. Go ahead.
So one of the things that Evil Wombat provided was this autoexec.ash script which
we mentioned here. And that's for the Ambarella shell. So if you put that on to the SD card,
at the root of the SD card in the GoPro, it will basically autoexec whatever you put
in there. So ‑‑
Can I correct that?
Yeah.
So it wasn't that he provided it. It's rather he discovered that the camera will execute
a script called autoexec.ash that's in the camera.
In the root of the SD card. And so there are a number of, like, commands that you can provide.
And he kind of gave us our first foothold into understanding what it was that we could
do, you know, with the camera by doing that.
Right. That's better. And so one of the things is this ‑‑ there's actually a command
in the Ambarella shell called T. And it does a lot of low‑level control of the RTOS.
And in this case, it actually ‑‑ what you see down at the very bottom, this T actually
does an app test, USB RS 232, one, sets that it will just basically provide a serial console
over USB. So it gives you this access to the RTOS's Ambarella shell.
One of the things that you should ‑‑ there's a slew of commands in there that we can't even
go through in even 30 minutes. But one of the things you shouldn't do is run, as someone
did, the T NAND op erase command, which successfully bricks your camera. So don't do that.
Yeah, I would say don't do that. When you run that command, you know, and that heinous
deleting all the NANDs comes up, you don't die right at that moment. But when you reboot,
you really wish you hadn't. Let me just put it that way.
One of the other commands that Evil Wombat shared or discovered and shared was this
lu_util command. And what this effectively does is allows the RTOS to talk to the Linux
task over this IPC channel. And one of the things that it does is there's an exec parameter.
And that will effectively allow ‑‑
Yeah.
The RTOS to instruct Linux to execute any command. As rude like you do. So in this
case, these snippets here, as provided effectively by Evil Wombat, kill the Cherokee web server
and start telnetd listening on 80. Because 8080 externally is forwarded to 80 internally
on Linux. So that's really the only port that you can ‑‑ one of the only ports you
can get to externally on the Linux internal operating system.
So effectively it just kills Cherokee and runs Telnet on 80, which drops you directly
into a root shell. Like you do. So, you know, we are here, hey, cool, we got root on a camera.
Yay. Everyone go home. Todd's a bad‑ass. So a little bit about the methodology and
kind of findings that we did. One of the first things that we actually looked at while
maybe drinking was looking at the GoPro app mode of the camera. So it runs in one of two
modes, Wi‑Fi remote or GoPro app. The first of which is this GoPro app mode. And that
allows you to install a Linux or iOS app on your device. The camera acts as an access
point. You associate with it with your mobile device of choice. And it connects to those
two web servers. The web server that it talks to on 80 is the one running in ITRON that
it uses as a control channel and for retrieving and setting configuration directives. And
then on 8080, it actually retrieves this ‑‑ this control channel. And then on 8080, it
actually retrieves this streaming preview. And what's interesting about this is ‑‑ and
by the way, the Wi‑Fi backpack uses 10.5.5.9. There are a few interesting things about this.
One, it uses mDNS for discovery, as we kind of observed. But it connects to 10.5.5.9
anyway. That's hard coded in there. So I don't know if it's a fallback or what. Whatever.
The other thing is that it uses MPEG-TS for streaming of the preview video. But what it
does is it continually retrieves this playlist, like an M3U8 file or whatever. And in that,
file, each time are 8.3 second video files that it retrieves. So it's not really streaming
the data directly so much as just retrieving these, like, you know, .3 second files, playing
one, retrieving the next one, playing that, retrieving the next one, playing that, retrieving
the playlist again, and then retrieving a new set of files. And this just kind of rotates
through. You can actually just point QuickTime or VLC
or whatever insecure media player you like at the M3U8 file. And, effectively, you can
just stream the preview video from the camera, kind of turning it into a surveillance device
if you so actually were able to authenticate and associate with it.
We ask that the NSA not avail themselves of that offensive technology, please.
Right.
So the other mode that's notable is the Wi‑Fi remote mode.
This one we find to be a little more interesting, which we can discuss in the hallway track.
In this case, the Wi‑Fi remote, which I don't know if we have with us, it's the smaller
device, a little key chain device.
In this case, the camera acts as a mobile station or client and associates to the AP,
which is the remote.
When you first pair them, it just scans for an ESSID of HERO-RC-XXXXXX, where
those are the last three octets of the ‑‑ of a given remote.
Once it's paired, it will record that information and prefer that, but you can always pair it
to a new remote.
So you can draw your own conclusions as to what attacks might be.
It's also totally open.
There's no security whatsoever, so you can just associate with a remote if you see one.
We're still sort of exploring what the implications are about attacking the remotes, but anyway.
Network attack surface.
The Cherokee web server runs as root, even though it listens on an unprivileged port
on the Linux side of things.
We notice that there are absolutely no additional mitigations.
The compiler options and the linker options are available.
Like, on the file system of the camera, so you can totally have fun there.
The executable base itself is not randomized, so, you know, reliability of a payload is
not really difficult if you find a bug, which some people might have.
So we're, like, at five minutes, so ‑‑ ITRON side ‑‑
Okay.
So like we said, two web servers.
On the realtime OS side, on the ITRON side.
There are these URLs that the remotes connect to, to engage different behavior of the camera
itself.
Some are configuration type commands that will, you know, reconfigure capture settings
for the camera that will, you know, start recording, stop recording, that kind of thing.
Basically, you know, once you connect to the Wi‑Fi access port, you're going to be able
to just hit these in a browser and kind of reconfigure the camera willy‑nilly.
We're working on a Ruby‑based library that basically acts as the control.
Let's see.
And then it actually ‑‑ it passes the pass phrase in.
And I haven't found the code path that cares about that.
And I'm not sure why that happens.
But it seems kind of silly.
I mean, I guess it's, you know, the key is protected by WPA, so whatever.
But, yeah.
It seems kind of strange.
And, basically, once you, you know, if you were to find a bug, you know, in either the
real‑time OS or the Linux side, you know, I guess from the real‑time OS side, you're
done.
If you find, like, a Cherokee bug, for instance, then you've got some work to do there to
bridge the gap over to the real‑time OS side.
In terms of local attack surface, again, everything runs as root.
So there are a lot of things you can do.
There is no privilege separation.
Everything except for the actual ‑‑ so, sorry.
All the libraries are loaded at randomized addresses.
The web server itself.
So Cherokee and the Cherokee worker load their images at 0x8000.
There's actually a couple of sections that get mapped there.
Sorry.
0x8000.
And then, like, 0x8300.
Let's see.
It runs busy box, so there's ‑‑ excuse me, there are some useful, you know, busy
box utilities there, but there's no, you know, build tools or no net cat, you know, sometimes
you see that on, like, random busy box devices.
I feel like you want to break in there, my friend.
So basically it's just ‑‑ ASLR is enabled system‑wide, but pretty much every executable
base is mapped at a static address or always mapped at static addresses, so it's not terribly
difficult to get, like, reliable code exec.
I feel like I had already said that, actually, but, you know, maybe not.
So there are a number of, like, interesting, you know, quote, unquote, services that are
running.
A couple of them listening on TCP ports 7878 and 7877.
They handle JSON ‑‑ well, one of them handles JSON formatted messages from the
ITRON side, which I thought was kind of strange.
They basically it's, you know, their mechanism of communicating across, like, these two operating
systems.
So they share the same memory and they're kind of using, like, this queue‑based message
passing thing.
And, hey, it's a great time to talk about that.
So the ‑‑ we're, like, two ‑‑ we have, like, two minutes left, so we'll probably
breeze through all this.
Whatever.
Running ipcs -p, we see that there are these message queues that are there and they point
to this AMBA MQT.
The message queue handler, which is for receiving and sending messages from Linux to ITRON.
Worth exploring.
They're on the ITRON side.
And Amchel, you can run IPC prog, I know it's probably hard to read, but it just spits
out, like, a thousand bajillion lines of all these different IPC programs that are registered.
So it's kind of like SunRPC‑ish.
There's a program ID that maps to a specific program that's actually listening in this
IPC channel.
So that's a good thing.
And that's basically all we're going to talk about for there because we're running out
of time.
Future research.
Remote monitoring.
Legitimate monitoring using, like, bespoke or third‑party clients, using the camera
to spy.
That sounds really cool.
Next thing would be to dump firmware from the Wi‑Fi remote as well as deal with this
fancy little GoPro 30‑pin bus interface, which is remarkably similar to the Apple iPod
30‑pin connector.
And it uses things for, like, LCD and a bunch of other stuff.
So that's a good thing.
Backdoors, persistence, blah, blah, blah.
So with that, we're going to be releasing code eventually, maybe like, I don't know,
tomorrow when we're sober, at GitHub.com slash Quine slash GoPro GTFO.
So watch that space over the next couple months.
We'll have some stuff up there.
And finally, if you want to reach us, T Manning on Twitter, Quine on Twitter, or e‑mail
us, and then these are really cool people down at the bottom.
And if you aren't on that, you should be.
We're really sorry.
We're out of time, so we'll take questions in the hallway track, I guess.
Thank you for coming.
The lovely Todd.
